PGP™ Desktop for Windows User's Guide 10.2

  • The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version 10.2.0. Last updated: July 2011.

    Legal Notice

    Copyright (c) 2011 Symantec Corporation. All rights reserved.

    Symantec, the Symantec Logo, PGP, Pretty Good Privacy, and the PGP logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

    The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

    Symantec Corporation

    350 Ellis Street

    Mountain View, CA 94043

    Symantec Home Page (http://www.symantec.com)

    Printed in the United States of America.

    Contents

    About PGP Desktop 10.2 for Windows

    What's New in PGP Desktop Version 10.2 for Windows 1

    Using this Guide 2

    Managed versus Unmanaged Users 3

    Conventions Used in This Guide 3

    Who Should Read This Document 4

    About PGP Desktop Licensing 4

    Licensing PGP Desktop for Windows 4

    Checking License Details 5

    If Your License has Expired 6

    Technical Support 7

    Contacting Technical Support 7

    Licensing and registration 8

    Customer service 8

    Support agreement resources 9

    PGP Desktop Basics 11

    PGP Desktop Terminology 11

    PGP Product Components 11

    Terms Used in PGP Desktop 12

    Conventional and Public Key Cryptography 13

    Using PGP Desktop for the First Time 14

    Installing PGP Desktop 17

    Before You Install 17

    System Requirements 17

    Citrix and Terminal Services Compatibility 18

    Installing and Configuring PGP Desktop 19

    Installing the Software 19

    Upgrading the Software 19

    Licensing PGP Desktop 21

    Running the Setup Assistant 21

    Uninstalling PGP Desktop 22

    Moving Your PGP Desktop Installation From One Computer to Another 22

    The PGP Desktop User Interface 25

    Accessing PGP Desktop Features 25

    The PGP Desktop Main Screen 26

    Using the PGP Tray Icon 27

    Using Shortcut Menus in Windows Explorer 28

    Using the Start Menu 29

    PGP Desktop Notifier alerts 30

    PGP Desktop Notifier for Messaging 30

    PGP Desktop Notifier for Disk features 32

    Enabling or Disabling Notifiers 33

    Viewing the PGP Log 34

    Working with PGP Keys 35

    Viewing Keys 35

    Creating a Keypair 36

    Passwords and Passphrases 38

    Protecting Your Private Key 38

    Protecting Keys and Keyrings 39

    Backing up Your Private Key 40

    What if You Lose Your Key? 40

    Distributing Your Public Key 40

    Placing Your Public Key on a Keyserver 41

    Including Your Public Key in an Email Message 42

    Exporting Your Public Key to a File 42

    Copying from a Smart Card Directly to Someone's Keyring 43

    Getting the Public Keys of Others 43

    Getting Public Keys from a Keyserver 43

    Getting Public Keys from Email Messages 44

    Working with Keyservers 44

    Using Master Keys 46

    Adding Keys to the Master Key List 46

    Deleting Keys from the Master Key List 47

    Managing PGP Keys 49

    Examining and Setting Key Properties 49

    Working With Photographic IDs 50

    Managing User Names and Email Addresses on a Key 51

    Importing Keys and X.509 Certificates 52

    Using the Import Certificate Assistant 53

    Importing X.509 Certificates Included in S/MIME Email Messages 54

    Changing Your Passphrase 54

    Deleting Keys, User IDs, and Signatures 55

    Disabling and Enabling Public Keys 55

    Verifying a Public Key 56

    Signing a Public Key 57

    Revoking Your Signature from a Public Key 58

    Granting Trust for Key Validations 59

    Working with Subkeys 59

    Using Separate Subkeys 61

    Viewing Subkeys 61

    Creating New Subkeys 62

    Specifying Key Usage for Subkeys 62

    Revoking Subkeys 63

    Removing Subkeys 64

    Working with ADKs 64

    Adding an ADK to a Keypair 64

    Updating an ADK 65

    Removing an ADK 65

    Working with Revokers 65

    Appointing a Designated Revoker 66

    Revoking a Key 66

    Splitting and Rejoining Keys 67

    Creating a Split Key 67

    Rejoining Split Keys 68

    If You Lost Your Key or Passphrase 69

    Reconstructing Keys with PGP Universal Server 70

    Creating Key Reconstruction Data 70

    Reconstructing Your Key if You Lost Your Key or Passphrase 72

    Protecting Your Keys 73

    Securing Email Messages 75

    How PGP Desktop Secures Email Messages 75

    Incoming Messages 76

    Verifying Signatures on Incoming Messages 77

    Understanding Annotations on Incoming Messages 79

    Outgoing Messages 79

    Securing Sent Items on IMAP Email Servers 79

    Sending MAPI Email with Microsoft Outlook 80

    Using the Sign and Encrypt Buttons in Microsoft Outlook 81

    Using Offline Policy 82

    Services and Policies 83

    Viewing Services and Policies 84

    Creating a New Messaging Service 85

    Editing Messaging Service Properties 88

    Disabling or Enabling a Service 89

    Deleting a Service 89

    Multiple Services 90

    Troubleshooting PGP Messaging Services 90

    Creating a New Security Policy 92

    Regular Expressions in Policies 96

    Security Policy Information and Examples 97

    Working with the Security Policy List 101

    Editing a Security Policy 101

    Editing a Mailing List Policy 102

    Deleting a Security Policy 105

    Changing the Order of Policies in the List 106

    PGP Desktop and SSL 106

    Key Modes 108

    Determining Key Mode 109

    Changing Key Mode 109

    Viewing the PGP Log 110

    Securing Instant Messaging 113

    About PGP Desktop Instant Messaging Compatibility 113

    Instant Messaging Client Compatibility 114

    About the Keys Used for Encryption 114

    Encrypting your IM Sessions 115

    Viewing Email with PGP Viewer 117

    Overview of PGP Viewer 117

    Compatible Email Clients 118

    Opening an Encrypted Email Message or File 118

    Copying Email Messages to Your Inbox 119

    Exporting Email Messages 120

    Specifying Additional Options 120

    Specifying Options in PGP Viewer 121

    Security Features in PGP Viewer 121

    Protecting Disks with PGP Whole Disk Encryption 123

    About PGP Whole Disk Encryption 124

    How does PGP WDE Differ from PGP Virtual Disk? 125

    Licensing PGP Whole Disk Encryption 125

    Using PGP Remote Disable and Destroy 126

    Prepare Your Disk for Encryption 127

    Supported Disk Types 128

    Supported Keyboards 129

    Supported Input Method Editors (IME) 131

    Ensure Disk Health Before Encryption 131

    Calculate the Encryption Duration 131

    Maintain Power Throughout Encryption 132

    Run a Pilot Test to Ensure Software Compatibility 132

    Determining the Authentication Method for the Disk 133

    Passphrase and Single Sign-On Authentication 133

    Public Key Authentication 134

    Token-Based Authentication 134

    Two-Factor Authentication Using a USB Flash Device 134

    Trusted Platform Module (TPM) Authentication 135

    Setting Encryption Options 136

    Partition-Level Encryption 136

    Preparing a Smart Card or Token to Use For Authentication 137

    Using PGP Whole Disk Encryption Options 139

    Encrypting a Disk or Partition 141

    Supported Characters for PGP WDE Passphrases 141

    Encrypting the Disk 142

    Encountering Disk Errors During Encryption 145

    Using a PGP WDE-Encrypted Disk 145

    Authenticating at the PGP BootGuard Screen 146

    Selecting Keyboard Layouts 151

    Using PGP WDE Single Sign-On 153

    Prerequisites for Using Single Sign-On 153

    Encrypting the Disk to Use Single Sign-On 153

    Multiple Users and Single Sign-On 154

    Logging in with Single Sign-On 154

    Changing Your Passphrase With Single Sign-On 154

    Displaying the Windows Login dialog box 155

    Maintaining the Security of Your Disk 155

    Getting Disk or Partition Information 155

    Adding Other Users to an Encrypted Disk or Partition 156

    Deleting Users From an Encrypted Disk or Partition 157

    Changing User Passphrases 157

    Re-Encrypting an Encrypted Disk or Partition 158

    If you Forgot Your Passphrase 159

    Backing Up and Restoring 160

    Uninstalling PGP Desktop from Encrypted Disks or Partitions 161

    Working with Removable Disks 161

    Encrypting Removable Disks 161

    Using Locked (Read-Only) Disks as Read-Only 162

    Moving Removable Disks to Other Systems 163

    Reformatting an Encrypted Removable Disk 163

    Using PGP WDE in a PGP Universal Server-Managed Environment 163

    PGP Whole Disk Encryption Administration 164

    Creating a Recovery Token 165

    Using a Recovery Token 165

    Recovering Data From an Encrypted Drive 166

    Creating and Using Recovery Disks 166

    Decrypting a PGP WDE-Encrypted Disk 168

    Special Security Precautions Taken by PGP Desktop 169

    Passphrase Erasure 169

    Virtual Memory Protection 169

    Hibernation vs Standby 169

    Memory Static Ion Migration Protection 169

    Other Security Considerations 170

    Using the Windows Preinstallation Environment 170

    Using PGP Whole Disk Encryption with IBM Lenovo ThinkPad Systems 170

    Using PGP Whole Disk Encryption with the Microsoft Windows XP Recovery Console 171

    Using PGP Virtual Disks 173

    About PGP Virtual Disks 173

    Creating a New PGP Virtual Disk 174

    Viewing the Properties of a PGP Virtual Disk 177

    Finding PGP Virtual Disks 177

    Using a Mounted PGP Virtual Disk 178

    Mounting a PGP Virtual Disk 178

    Unmounting a PGP Virtual Disk 179

    Compacting a PGP Virtual Disk 179

    Re-Encrypting PGP Virtual Disks 180

    Working with Alternate Users 181

    Adding Alternate User Accounts to a PGP Virtual Disk 181

    Deleting Alternate User Accounts from a PGP Virtual Disk 181

    Disabling and Enabling Alternate User Accounts 182

    Changing Read/Write and Read-Only Status 182

    Granting Administrator Status to an Alternate User 183

    Changing User Passphrases 183

    Deleting PGP Virtual Disks 184

    Maintaining PGP Virtual Disks 184

    Mounting PGP Virtual Disk Volumes on a Remote Server 184

    Backing up PGP Virtual Disk Volumes 185

    Exchanging PGP Virtual Disks 185

    The PGP Virtual Disk Encryption Algorithms 186

    Special Security Precautions Taken by PGP Virtual Disk 186

    Passphrase Erasure 186

    Virtual Memory Protection 187

    Hibernation 187

    Memory Static Ion Migration Protection 187

    Other Security Considerations 187

    Creating and Accessing Mobile Data with PGP Portable 189

    Creating PGP Portable Disks 189

    Creating a PGP Portable Disk from a Folder 190

    Creating a PGP Portable Disk from a Removable USB Device 190

    Creating Read/Write or Read-Only PGP Portable Disks 192

    Accessing Data on a PGP Portable Disk 192

    Changing the Passphrase for a PGP Portable Disk 194

    Unmounting a PGP Portable Disk 194

    Using PGP NetShare 197

    About PGP NetShare 197

    PGP NetShare Roles 199

    Licensing PGP NetShare 200

    Authorized User Keys 200

    Using a Group Key 201

    Establishing a PGP NetShare Admin (Owner) 202

    "Blacklisted" and "Whitelisted" Files, Folders, and Applications 202

    Blacklisted and Other Files You Cannot Protect 202

    "Blacklisted" and "Whitelisted" Folders Specified by PGP Universal Server 203

    Application-based Encryption and Decryption Bypass Lists 203

    Working with Protected Folders 204

    Choosing the Location for a Protected Folder 204

    Creating a New PGP NetShare Protected Folder 206

    Using Files in a PGP NetShare Protected Folder 208

    Unlocking a Protected Folder 208

    Determining the Files in a Protected Folder 209

    Adding Subfolders to a Protected Folder 210

    Checking Folder Status 210

    Copying Protected Folders to Other Locations 211

    Working with PGP NetShare Users 212

    Adding a PGP NetShare User 212

    Changing a User's Role 213

    Deleting a User from a Protected Folder 214

    Importing PGP NetShare Access Lists 215

    Working with Active Directory Groups 215

    Setting up PGP NetShare to Work with Groups 216

    Adding an Active Directory Group to a Protected Folder 216

    Refreshing Groups 217

    Decrypting PGP NetShare-Protected Folders 217

    Re-Encrypting a Folder 218

    Clearing a Passphrase 219

    Protecting Files Outside of a Protected Folder 219

    Backing Up PGP NetShare-Protected Files 221

    Accessing PGP NetShare Features using the Shortcut Menu 221

    PGP NetShare in a PGP Universal Server-managed Environment 222

    Accessing the Properties of a Protected File or Folder 222

    Using the PGP NetShare Menus in PGP Desktop 223

    The File Menu 223

    The Edit Menu 224

    The NetShare Menu 224

    Using PGP Zip 225

    Overview 225

    Creating PGP Zip Archives 226

    Encrypting to Recipient Keys 228

    Encrypting with a Passphrase 229

    Creating a PGP Self-Decrypting Archive (SDA) 231

    Creating a Sign Only Archive 232

    Opening a PGP Zip Archive 234

    Opening a PGP Zip SDA 234

    Editing a PGP Zip Archive 235

    Verifying Signed PGP Zip Archives 236

    Shredding Files with PGP Shredder 239

    Using PGP Shredder to Permanently Delete Files and Folders 239

    Shredding Files using the PGP Shredder Icon on Your Desktop 240

    Shredding Files From Within PGP Desktop 240

    Shredding Files in Windows Explorer 241

    Using the PGP Shred Free Space Assistant 241

    Scheduling Free Space Shredding 242

    Storing Keys on Smart Cards and Tokens 245

    About Smart Cards and Tokens 245

    Compatible Smart Cards 246

    Recognizing Smart Cards 248

    Examining Smart Card Properties 248

    Generating a PGP Keypair on a Smart Card 249

    Copying your Public Key from a Smart Card to a Keyring 250

    Copying a Keypair from Your Keyring to a Smart Card 251

    Wiping Keys from Your Smart Card 252

    Using Multiple Smart Cards 252

    Setting PGP Desktop Options 255

    Accessing the PGP Options dialog box 255

    General Options 256

    Keys Options 258

    Master Keys Options 260

    Messaging Options 261

    Proxy Options 263

    PGP NetShare Options 266

    Disk Options 267

    Notifier Options 270

    Advanced Options 272

    Working with Passwords and Passphrases 275

    Choosing whether to use a password or passphrase 275

    The Passphrase Quality Bar 276

    Creating Strong Passphrases 277

    What if You Forget Your Passphrase? 278

    Using PGP Desktop with PGP Universal Server 279

    Overview 279

    For PGP Administrators 280

    Manually binding to a PGP Universal Server 281

    Using PGP Desktop with IBM Lotus Notes 283

    About Lotus Notes and MAPI Compatibility 283

    Using PGP Desktop with Lotus Notes 283

    Sending email to recipients inside your Lotus Notes organization 283

    Sending email to recipients outside your Lotus Notes organization 284

    Binding to a PGP Universal Server 284

    Pre-Binding 285

    Manual Binding 285

    Notes Addresses 285

    Notes Client Settings 286

    The Notes.ini Configuration File 286

    Using Lotus Notes Native Encryption 286

    Index 289

    1 About PGP Desktop 10.2 for Windows

    PGP Desktop is a security tool that uses cryptography to protect your data against unauthorized access.

    PGP Desktop protects your data while being sent by email or by instant messaging (IM). It lets you encrypt your entire hard drive or hard drive partition (on Windows systems), so everything is protected all the time, or just a portion of your hard drive, via a virtual disk on which you can securely store your most sensitive data. You can use it to share your files and folders securely with others over a network. It lets you put any combination of files and folders into an encrypted, compressed package for easy distribution or backup. Finally, use PGP Desktop to shred (securely delete) sensitive files, so that no one can retrieve them, and shred free space on your hard drive, so there are no unsecured remains of any files.

    Use PGP Desktop to create PGP keypairs and manage both your personal keypairs and the public keys of others.

    To make the most of PGP Desktop, you should be familiar with PGP Desktop Terminology (on page 11). You should also understand conventional and public-key cryptography, as described in Conventional and Public Key Cryptography (on page 13).

    In This Chapter

    What's New in PGP Desktop Version 10.2 for Windows 1

    Using this Guide 2

    Who Should Read This Document 4

    About PGP Desktop Licensing 4

    Technical Support 7

    What's New in PGP Desktop Version 10.2 for Windows

    Building on Symantec Corporation's proven technology, PGP Desktop 10.2 for Windows includes numerous improvements and the following new and resolved features.

    General

    Certificate enrollment. If you have an existing smart card or certificate, you can now enroll to your PGP Universal Server using the certificate. This provides an additional way to enroll, in addition to email and LDAP enrollment. Applies to new users or users who need to re-enroll only. PGP Desktop for Windows only.

    Certificate SSO. After enrolling to a PGP Universal Server, once you encrypt your disk you can then use your smart card at the PGP BootGuard screen for single sign-on directly into Windows. PGP Desktop for Windows only.

    Windows 2008 with Terminal Services. Windows 2008 Terminal Services (SP1 and SP 2) and Windows 2008 Terminal Services R2 (SP 1) have been added as system requirements for Citrix and Terminal Services environments. Refer to "Citrix and Terminal Services Compatibility" in the PGP Desktop for Windows release notes for more information.

    Additional smart card readers. Added compatibility with Dell E6510/E6410 Broadcom smart card readers for post-boot authentication. PGP Desktop for Windows only.

    Symantec identity branding. The user interface and all user assistance (including help and user's guides) have been rebranded to include the Symantec logo and colors. All product names remain the same. PGP Desktop for Windows and PGP Desktop for Mac OS X.

    Messaging

    Symantec PGP Viewer for iOS. A separate application for the iPhone and iPad that you use to read encrypted email messages on your iOS mobile device. Available at no cost through the Apple App Store. Requires integration with PGP Universal Server to manage keys.

    Microsoft Outlook 2010. PGP Desktop is now compatible with Microsoft Outlook 2010 64-bit. PGP Desktop for Windows only.

    PGP NetShare

    PGP NetShare group keys. A single key that is shared by a group of users and is used to encrypt or decrypt PGP NetShare-protected files and folders. The single group key reduces the overhead associated with encrypting a file/folder to a large number of keys. Any member of the group associated with the key can access protected folders/files encrypted to that group key. Group membership for the group key is controlled by your PGP Universal Server administrator and is used with Active Directory. PGP Desktop for Windows only.

    PGP Whole Disk Encryption

    User name and domain in PGP BootGuard. If you are using PGP Desktop in a PGP Universal Server-managed environment, your administrator can now require that you authenticate at PGP BootGuard with your user name and domain (on Windows systems) or user name (on Mac OS X systems). The PGP BootGuard screen displays fields for you to enter your user name, domain, and passphrase.

    Intel PROset. Improved compatibility with Intel PROset software and single sign-on with PGP Whole Disk Encryption. PGP Desktop for Windows only.

    Smart card readers. Added compatibility with Dell E6510/E6410 Broadcom smart card readers for pre-boot authentication. PGP Desktop for Windows only.

    Using this Guide

    This Guide provides information on configuring and using the components within PGP Desktop. Each chapter of the guide is devoted to one of the components of PGP Desktop.

    Managed versus Unmanaged Users

    A PGP Universal Server can be used to control the policies and settings used by components of PGP Desktop. This is often the case in enterprises using PGP software. PGP Desktop users in this configuration are known as managed users, because the settings and policies available in their PGP Desktop software are pre-configured by a PGP administrator and managed using a PGP Universal Server. If you are part of a managed environment, your company may have specific usage requirements. For example, managed users may or may not be allowed to send plaintext email, or may be required to encrypt their disk with PGP Whole Disk Encryption.

    Users not under the control of a PGP Universal Server are called unmanaged or standalone users.

    This document describes how PGP Desktop works in both situations; however, managed users may discover while working with the product that some of the settings described in this document are not available in their environments. For more information, see Using PGP Desktop with PGP Universal Server (on page 279).

    Features Customized by Your PGP Universal Server Administrator

    If you are using PGP Desktop as a "managed" user in a PGP Universal Server-managed environment, there are some settings that can be specified by your administrator. These settings may change the way features are displayed in PGP Desktop.

    Disabled features. Your PGP Universal Server administrator can enable or disable specific functionality. For example, your administrator may disable the ability to create PGP Zip archives, or to create PGP NetShare protected folders (on Windows systems).

    When a feature is disabled, the control item in the left side is not displayed and the menu for that feature is not available. The graphics included in this guide depict the default installation with all features enabled. The PGP Desktop interface may look different if your administrator has customized the features available.

    Customized BootGuard. If you are using PGP Desktop in a PGP Universal Server-managed environment, your PGP administrator may have customized the PGP Whole Disk Encryption BootGuard screen to include additional text or a custom image such as your organization's logo. The graphics included in this guide depict the default installation. Your actual login screen may look different if your administrator has customized the screen.

    Conventions Used in This Guide

    Notes, Cautions, and Warnings are used in the following ways.

    Notes: Notes are extra, but important, information. A Note calls your attention to important aspects of the product. You will be able to use the product better if you read the Notes.

    Cautions: Cautions indicate the possibility of loss of data or a minor security breach. A Caution tells you about a situation where problems could occur unless precautions are taken. Pay attention to Cautions.

    Warnings: Warnings indicate the possibility of significant data loss or a major security breach. A Warning means serious problems are going to happen unless you take the appropriate action. Please take Warnings very seriously.

    Who Should Read This Document

    This document is for anyone who is going to be using the PGP Desktop for Windows software to protect their data.

    About PGP Desktop Licensing

    A license is used within the PGP software to enable the functionality you purchased, and sets the expiration of the software. Depending on the license you have, some or all of the PGP Desktop family of applications will be active. Once you have entered the license, you must then authorize the software with Symantec Corporation, either manually or online.

    There are three types of licenses:

    Evaluation: This type of license is typically time-delimited and may not include all PGP Desktop functionality.

    Subscription: This type of license is typically valid for a subscription period of one year. During the subscription period, you receive the current version of PGP software and all upgrades and updates released during this period.

    Perpetual: This type of license allows you to use PGP Desktop indefinitely. With the addition of the annual Software Insurance policy, which must be renewed annually, you also receive all upgrades and updates released during the policy term.

    Licensing PGP Desktop for Windows

    To license PGP Desktop

    Do one of the following:

    If you are a managed user, you are most likely already using a licensed copy of PGP Desktop. Check your license details as described in Checking License Details (on page 5). If you have questions, please contact your PGP administrator.

    If you are an unmanaged user, or a PGP administrator, check your license details as described in Checking License Details (on page 5). If you need to authorize your copy of PGP Desktop, do so as described in Authorizing PGP Desktop for Windows (on page 5).

    Checking License Details

    To see the details of your PGP Desktop license

    1 Double-click the PGP Desktop icon in the system tray.

    2 Select Help > License. The PGP Desktop License dialog box is displayed.

    This dialog box displays the following details:

    Item                   Description

    License Type           The name of the licensed product.

    License Seats          The number of seats available for this license.

    License Expiration     The date when the license will expire.

    Product Information    The components that are active in your license. Move your cursor over the product name to see information about the product and to find out if you are currently licensed to use it.

    Note: If you do not authorize your copy of PGP Desktop, only limited features will be available to you (PGP Zip and Keys).

    Authorizing PGP Desktop for Windows

    If you need to change to a new license number, or if you skipped the license authorization process during configuration, follow these instructions to authorize your software.

    To authorize PGP Desktop for Windows

    If you purchased PGP Desktop, you received an order confirmation with licensing information.

    1 Double-click the PGP Desktop icon in the System Tray.

    2 Select Help > License. The PGP Desktop License dialog box is displayed.

    3 Click Change License. The PGP Licensing Assistant dialog box is displayed.

    4 Type the Name and Organization exactly as specified in your order confirmation.

    5 Type the email address you want to assign to the licensing of the product.

    6 Type the email address again to confirm it.

    7 Click Next.

    8 Do one of the following:

    Type your 28-character license number in the provided fields (for example, DEMO1-DEMO2-DEMO3-DEMO4-DEMO5-ABC).

    Note: To avoid typing errors and make the authorization easier, copy the entire license number, put the cursor in the first License Number field, and paste. Your license number will be correctly entered into all six License Number fields.

    To use PGP Desktop without a license, select Use without a license and disable most functionality. The only features of PGP Desktop you can use without a license are PGP Zip and Keys.

    9 Click Next to authorize.

    10 When PGP is authorized, the features enabled by your license will be displayed. Click Next, and then click Finish to complete the process.

    Resolving License Authorization Errors

    If you receive any error messages while authorizing your software, the ways to resolve this issue vary based on the error message. See the HOWTO: License PGP Desktop 10.2 section in the PGP Support Portal (https://support.pgp.com) for suggestions.

    If Your License has Expired

    If your PGP Desktop license has expired, you will receive a PGP License Expiration message when you launch PGP Desktop. See the following sections for information on how an expired license affects the functionality of PGP Desktop.

    PGP Desktop Email

    Outgoing email messages are no longer sent encrypted.

    PGP NetShare

    PGP NetShare protected folders can be accessed; however, the protected files remain encrypted. (To view the encrypted files, manually decrypt the folders and files.)

    New PGP NetShare protected folders cannot be created.

    Files moved into a protected folder are not encrypted.

    Keys cannot be added or removed from PGP NetShare protected folders.

    PGP Remote Disable and Destroy

    When the disk is encrypted with PGP WDE and PGP RDD with Intel AT is activated, the disk remains encrypted and PGP RDD with Intel AT remains activated after the license expiration date.

    PGP Virtual Disk

    PGP Virtual Disks are still accessible in Read-Only mode. Read-Only allows data to be copied from a PGP Virtual Disk; however, no data can be copied to a PGP Virtual Disk.

    PGP Whole Disk Encryption

    Any fixed disks that have been encrypted with PGP Desktop using an evaluation license are automatically decrypted 90 days after the expiration of the evaluation.

    Technical Support

    Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

    Symantec's support offerings include the following:

    A range of support options that give you the flexibility to select the right amount of service for any size organization

    Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

    Upgrade assurance that delivers software upgrades

    Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

    Premium service offerings that include Account Management Services

    For information about Symantec's support offerings, you can visit our Web site at the following URL:

    www.symantec.com/business/support/

    All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

    Contacting Technical Support

    Customers with a current support agreement may access Technical Support information at the following URL:

    www.symantec.com/business/support/

    Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

    When you contact Technical Support, please have the following information available:

    Product release level

    Hardware information

    Available memory, disk space, and NIC information

    Operating system

    Version and patch level

    Network topology

    Router, gateway, and IP address information

    Problem description:

    Error messages and log files

    Troubleshooting that was performed before contacting Symantec

    Recent software configuration changes and network changes

    Licensing and registration

    If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

    www.symantec.com/business/support/

    Customer service

    Customer service information is available at the following URL:

    www.symantec.com/business/support/

    Customer Service is available to assist with non-technical questions, such as the following types of issues:

    Questions regarding product licensing or serialization

    Product registration updates, such as address or name changes

    General product information (features, language availability, local dealers)

    Latest information about product updates and upgrades

    Information about upgrade assurance and support contracts

    Information about the Symantec Buying Programs

    Advice about Symantec's technical support options

    Nontechnical presales questions

    Issues that are related to CD-ROMs or manuals

    Support agreement resources

    If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

    Asia-Pacific and Japan [email protected]

    Europe, Middle-East, Africa [email protected]

    North America, Latin America [email protected]

  • 2 PGP Desktop Basics This section describes the PGP Desktop terminology and provides some high-level conceptual information on cryptography.

    In This Chapter

    PGP Desktop Terminology

    Conventional and Public Key Cryptography

    Using PGP Desktop for the First Time

    PGP Desktop Terminology

    To make the most of PGP Desktop, you should be familiar with the terms in the following sections.

    PGP Product Components

    PGP Desktop and its components are described in the following list. Depending on your license, you may not have all functionality available. For more information, see About PGP Desktop Licensing (see "Licensing PGP Desktop for Windows" on page 4).

    PGP Desktop: A software tool that uses cryptography to protect your data against unauthorized access. PGP Desktop is available for Mac OS X and Windows.

    PGP Messaging: A feature of PGP Desktop that automatically and transparently supports all of your email clients through policies you control. PGP Desktop accomplishes this using a new proxy technology; the older plug-in technology is also available. PGP Messaging also protects many IM clients, such as AIM and iChat (both users must have PGP Messaging enabled).

    PGP Whole Disk Encryption: Whole Disk Encryption is a feature of PGP Desktop that encrypts your entire hard drive or partition (on Windows systems), including your boot record, thus protecting all your files when you are not using them. You can use PGP Whole Disk Encryption and PGP Virtual Disk volumes on the same system. On Windows systems, you can protect whole disk encrypted drives with a passphrase or with a keypair on a USB token for added security.

    PGP NetShare: A feature of PGP Desktop for Windows with which you can securely and transparently share files and folders among selected individuals. PGP NetShare users can protect their files and folders simply by placing them within a folder that is designated as protected.

    PGP Keys: A feature of PGP Desktop that gives you complete control over both your own PGP keys, and the keys of those persons with whom you are securely exchanging email messages.

    PGP Virtual Disk volumes: PGP Virtual Disk volumes are a feature of PGP Desktop that let you use part of your hard drive space as an encrypted virtual disk. You can protect a PGP Virtual Disk volume with a key or a passphrase. You can even create additional users for a volume, so that people you authorize can also access the volume. The PGP Virtual Disk feature is especially useful on laptops, because if your computer is lost or stolen, the sensitive data stored on the PGP Virtual Disk is protected against unauthorized access.

    PGP Shred: A feature of PGP Desktop that lets you securely delete data from your system. PGP Shred overwrites files so that even file recovery software cannot recover them.

    PGP Viewer: Use PGP Viewer to decrypt, verify, and display messages outside the mail stream.

    PGP Zip: A feature of PGP Desktop that lets you put any combination of files and folders into a single encrypted, compressed package for convenient transport or backup. You can encrypt a PGP Zip archive to a PGP key or to a passphrase.

    PGP Universal: A tool for enterprises to automatically and transparently secure email messaging for their employees. If you are using PGP Desktop in a PGP Universal Server-managed environment, your messaging policies and other settings may be controlled by your organization's PGP administrator.

    PGP Global Directory: A free, public keyserver hosted by Symantec Corporation. The PGP Global Directory provides quick and easy access to the universe of PGP keys. It uses next-generation keyserver technology that queries the email address on a key (to verify that the owner of the email address wants their key posted) and lets users manage their own keys. Using the PGP Global Directory significantly enhances your chances of finding a valid public key of someone to whom you want to send secured messages. PGP Desktop is designed to work closely with the PGP Global Directory.

    Terms Used in PGP Desktop

    Before you use PGP Desktop, you should be familiar with the following terms:

    Decrypting: The process of taking encrypted (scrambled) data and making it meaningful again. When you receive data that has been encrypted by someone using your public key, you use your private key to decrypt the data.

    Encrypting: The process of scrambling data so that if an unauthorized person gets access to it, they cannot do anything with it. The data is so scrambled, it's meaningless.

    Signing: The process of applying a digital signature to data using your private key. Because data signed by your private key can be verified only by your public key, the ability to verify signed data with your public key proves that your private key signed the data and thus proves the data is from you.

    Verifying: The process of proving that the private key was used to digitally sign data by using that person's public key. Because data signed by a private key can only be verified by the corresponding public key, the fact that a particular public key can verify signed data proves the signer was the holder of the private key.

    Keypair: A private key/public key combination. When you create a PGP key, you are actually creating a keypair. As your keypair includes your name and your email address, in addition to your private and public keys, it might be more helpful to think of your keypair as your digital ID: it identifies you in the digital world as your driver's license or passport identifies you in the physical world.

    Private key: The key you keep very, very private. Only your private key can decrypt data that was encrypted using your public key. Also, only your private key can create a digital signature that your public key can verify.

    Caution: Do not give your private key, or its passphrase, to anyone! And keep your private key safe.

    Public key: The key you distribute to others so that they can send protected messages to you (messages that can only be decrypted by your private key) and so they can verify your digital signature. Public keys are meant to be widely distributed.

    Your public and private keys are mathematically related, but there's no way to figure out your private key if someone has your public key.

    Keyserver: A repository for keys. Some companies host keyservers for the public keys of their employees, so other employees can find their public keys and send them protected messages. The PGP Global Directory (https://keyserver.pgp.com) is a free, public keyserver hosted by Symantec Corporation.

    Smart cards and tokens: Smart cards and tokens are portable devices on which you can create your PGP keypair or copy your PGP keypair. Creating your PGP keypair on a smart card or token adds security by requiring possession of the smart card or token in order to encrypt, sign, decrypt, or verify. So even if an unauthorized person gains access to your computer, your encrypted data is secure because your PGP keypair is with you on your smart card or token. Copying your PGP keypair to a smart card or token is a good way to use it away from your main system, back it up, and distribute your public key. Smart cards and tokens are not available for key storage when used with PGP Desktop for Mac OS X.

    Conventional and Public Key Cryptography

    Conventional cryptography uses the same passphrase to encrypt and decrypt data. Conventional cryptography is great for data that isn't going anywhere (because it encrypts and decrypts quickly). However, conventional cryptography is not as well suited for situations where you need to send encrypted data to someone else, especially if you want to send encrypted data to someone you have never met.

    Public-key cryptography uses two keys (called a keypair) for encrypting and decrypting. One of these two keys is your private key; and, like the name suggests, you need to keep it private. Very, very private. The other key is your public key, and, like its name suggests, you can share it with the general public. In fact, you're supposed to share.

    Public-key cryptography works this way: let's say you and your cousin in another city want to exchange private messages. Both of you have PGP Desktop. First, you both need to create your keypair: one private key and one public key. Your private key you keep secret, your public key you send to a public keyserver like the PGP Global Directory (keyserver.pgp.com), which is a public facility for distributing public keys. (Some companies have their own private keyservers.)

    Once the public keys are on the keyserver, you can go back to the keyserver and get your cousin's public key, and she can go to the keyserver and get yours (there are other ways to exchange public keys; for more information, see Working with PGP Keys (on page 35)). This is important because to send an encrypted email message that only your cousin can decrypt, you encrypt it using your cousin's public key. What makes this work is that only your cousin's private key can decrypt a message that was encrypted using her public key. Even you, who have her public key, cannot decrypt the message once it has been encrypted using her public key. Only the private key can decrypt data that was encrypted with the corresponding public key.

    Your public and private keys are mathematically related, but there's no feasible way to figure out someone's private key if you just have a public key.

    Using PGP Desktop for the First Time

    Symantec Corporation recommends the following procedure for getting started with PGP Desktop:

    1 Install PGP Desktop on your computer.

    If you are a corporate user, your PGP administrator may have specific installation instructions for you to follow or may have configured your PGP installer with certain settings. Either way, this is the first step.

    2 Let the Setup Assistant be your guide.

    To help you get started, after you install PGP Desktop and reboot your computer, the Setup Assistant is displayed. It assists with:

    Licensing PGP Desktop

    Creating a keypair, with or without subkeys (if you do not already have a keypair).

    Publishing your public key on the PGP Global Directory.

    Enabling PGP Messaging

    Giving you a quick overview of other features.

    If your PGP Desktop installer application was configured by a PGP administrator, the Setup Assistant may perform other tasks.

    3 Exchange public keys with others.

    After you have created a keypair, you can begin sending and receiving secure messages with other PGP Desktop users (once you have exchanged public keys with them). You can also use the PGP Desktop disk-protection features.

    Exchanging public keys with others is an important first step. To send them secure messages, you need a copy of their public key, and to reply with a secure message, they need a copy of your public key. If you did not upload your public key to the PGP Global Directory using the Setup Assistant, do so now. If you do not have the public key for someone to whom you want to send messages, the PGP Global Directory is the first place to look. PGP Desktop does this for you: when you send email, it finds and verifies the keys of other PGP Desktop users automatically. It then encrypts your message to the recipient's public key, and sends the message.

    4 Validate the public keys you get from untrusted keyservers.

    When you get a public key from an untrusted keyserver, try to make sure that it has not been tampered with, and that the key really belongs to the person it names. To do this, use PGP Desktop to compare the unique fingerprint on your copy of someone's public key to the fingerprint on that person's key (a good way to do that is by telephoning the key's owner and having them read you the fingerprint information so that you can compare it). Keys from trusted keyservers like the PGP Global Directory have already been verified.

    5 Start securing your email, files, and instant message (IM) sessions.

    After you have generated your keypair and exchanged public keys, you can begin encrypting, decrypting, signing, and verifying email messages and files. The secure IM chat session feature generates its own keys automatically, so you can use this feature even before you generate your keypair. The only requirement is that you must be chatting with another PGP Desktop user for the chat session to be secured.

    6 Watch for information boxes from the PGP Desktop Notifier feature to appear.

    As you send or receive messages, or perform other PGP Desktop functions, the PGP Desktop Notifier feature displays information boxes that appear in whichever corner of the screen you specify. These PGP Notifier boxes tell you the action that PGP Desktop took, or will take. After you grow familiar with the process of sending and receiving messages, you can change options for the PGP Notifier feature, or turn it off.

    7 After you have sent or received some messages, check the logs to make sure everything is working correctly.

    If you want more information than the Notifier feature displays, the PGP Log provides detailed information about all messaging operations.

    8 Modify your messaging policies, if necessary.

    Email messages are sent and received, automatically and seamlessly, if PGP Desktop messaging policies are configured correctly. If your message recipient has a key on the PGP Global Directory, the default PGP Desktop policies provide opportunistic encryption. Opportunistic encryption means that, if PGP Desktop has what it needs (such as the recipient's verified public key) to encrypt the message automatically, then it does so. Otherwise, it sends the message in clear text (unencrypted). The default PGP Desktop policies also provide optional forced encryption. This means that, if you include the text [PGP] in the Subject line of a message, then the message must be sent securely. If verified keys cannot be found, then the message is not sent, and a Notifier box alerts you.

    9 Start using the other features in PGP Desktop.

    Along with its messaging features, you can also use PGP Desktop to secure the disks that you work with:

    Use PGP Whole Disk Encryption to encrypt a boot disk, disk partition (on Windows systems), external disk, or USB thumb drive. All files on the disk or partition are secured: they are encrypted and decrypted on the fly as you use them. The process is completely transparent to you.

    Use PGP Virtual Disk to create a secure virtual hard disk. You can use this virtual disk like a bank vault for your files. Use PGP Desktop or Windows Explorer or the Mac OS X finder to unmount and lock the virtual disk, and your files are secure, even if the rest of your computer is unlocked.

    Use PGP Zip to create compressed and encrypted PGP Zip archives. These archives offer an efficient way to transport or store files securely.

    Use PGP Shredder to delete sensitive files that you no longer need. PGP Shredder removes them completely, eliminating any possibility of recovery.

    Use PGP NetShare to share files and folders securely and easily among any number of people, with maximum access control.
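
    Step 4 of the procedure above depends on comparing fingerprints. The following added example (not from this guide and not PGP Desktop's own code) shows what that comparison checks, assuming OpenPGP version 4 keys as defined in RFC 4880. The key material, creation time and helper names are constructed for illustration.

```python
"""OpenPGP v4 fingerprint check (RFC 4880). Added example; key material is constructed."""
import hashlib
import hmac
import struct

HEX = set("0123456789ABCDEF")


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then the big-endian value."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over octet 0x99, the 2-octet body length, and the packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the v4 fingerprint."""
    return fingerprint[-16:]


def display(fingerprint: str) -> str:
    """Group the fingerprint in blocks of four hex digits, as it would be read aloud."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize(claimed: str) -> str:
    """Remove spacing, colons, case differences and a leading 0x from a transcribed value."""
    text = "".join(claimed.split()).replace(":", "").upper()
    return text[2:] if text.startswith("0X") else text


def same_key(local_body: bytes, claimed_fingerprint: str) -> bool:
    """True only if the full 160-bit fingerprint the owner read out matches our copy."""
    claimed = normalize(claimed_fingerprint)
    if len(claimed) != 40 or not set(claimed) <= HEX:
        return False  # a key ID or a partial fingerprint is not enough to identify a key
    return hmac.compare_digest(v4_fingerprint(local_body), claimed)


# Constructed sample material: a 2048-bit odd number standing in for an RSA modulus.
# It is not a usable key; only its encoding matters for the fingerprint.
CREATED = 1309478400  # constructed creation time (seconds since the Unix epoch)
MODULUS = (
    int.from_bytes(hashlib.sha256(b"constructed sample modulus").digest() * 8, "big")
    | (1 << 2047)
    | 1
)
GENUINE = rsa_public_key_body(CREATED, MODULUS, 65537)
# A copy served under the same name by an untrusted source, differing in one modulus bit.
SUBSTITUTED = rsa_public_key_body(CREATED, MODULUS ^ 2, 65537)

if __name__ == "__main__":
    spoken = display(v4_fingerprint(GENUINE)).lower()  # what the owner reads over the phone
    print("owner reads:      ", spoken)
    print("genuine copy:     ", same_key(GENUINE, spoken))
    print("substituted copy: ", same_key(SUBSTITUTED, spoken))
    print("key ID only:      ", same_key(GENUINE, key_id(v4_fingerprint(GENUINE))))
```

    Because the fingerprint covers the creation time and every bit of the key material, any substituted key produces a different value, and the check refuses anything shorter than the full 40 hex digits.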

  • 3 Installing PGP Desktop This section describes how to install PGP Desktop onto your computer and how to get started after installation.

    In This Chapter

    Before You Install

    Installing and Configuring PGP Desktop

    Uninstalling PGP Desktop

    Moving Your PGP Desktop Installation From One Computer to Another

    Before You Install

    This section describes the minimum system requirements for installing PGP Desktop on your Windows computer.

    System Requirements

    Note: In order to continue to improve our products and deliver more sophisticated features and performance, we have added support of the Microsoft Windows 7 operating systems in PGP Desktop 10.0. As a result, we are ending PGP Desktop support for Microsoft Windows 2000 Professional and Microsoft Windows 2000 Server & Advanced Server beginning with PGP Desktop 10.1.

    Before you begin the installation, verify that your system meets these minimum requirements:

    PGP Desktop can be installed on systems running the following versions of Microsoft Windows operating systems:

    Windows XP Professional 32-bit (Service Pack 2 or 3), Windows XP Professional 64-bit (Service Pack 2), Windows XP Home Edition (Service Pack 2 or 3), Microsoft Windows XP Tablet PC Edition 2005 SP2, Windows Vista (all 32- and 64-bit editions, including Service Pack 2), Windows 7 (all 32- and 64-bit editions, including Service Pack 1), Windows Server 2003 (Service Pack 1 and 2).

    The above operating systems are supported only when all of the latest hot fixes and security patches from Microsoft have been applied.

    Note: PGP Whole Disk Encryption (PGP WDE) is not compatible with other third-party software that could bypass the PGP WDE protection on the Master Boot Record (MBR) and write to or modify the MBR. This includes such off-line defragmentation tools that bypass the PGP WDE file system protection in the OS or system restore tools that replace the MBR.

    PGP Whole Disk Encryption on Windows Servers

    PGP Whole Disk Encryption (WDE) is supported on all client versions above as well as the following Windows Server versions:

    Windows Server 2003 SP 2 (32- and 64-bit editions); Windows Server 2008 64-bit SP 1 and 2; Windows Server 2008 R2 64-bit

    VMWare ESXi4 (supported Microsoft Windows Servers operating in a virtual environment)

    For additional system requirements and best practices information on using PGP WDE on Windows Server systems, see PGP KB article 1737 (http://support.pgp.com/?faq=1737).

    PGP Whole Disk Encryption on Tablet PCs

    PGP Whole Disk Encryption is supported on Tablet PCs that meet the following additional requirements:

    Dell Latitude XT1 and XT2 Tablet PC Touch Screen Laptops (undocked)

    1024 x 768 x 16 screen display running SVGA mode

    Optional physical keyboard

    Hardware Requirements

    512 MB of RAM

    64 MB hard disk space

    For information on compatible email, instant messaging, and anti-virus software, see the PGP Desktop 10.2 for Windows Release Notes.

    Citrix and Terminal Services Compatibility

    PGP Desktop for Windows has been tested with the following terminal services software:

    Citrix Presentation Server 4.0

    Citrix Metaframe XP

    Windows 2003 Terminal Services

    Windows 2008 Terminal Services (SP1 and SP 2)

    Windows 2008 Terminal Services R2 (SP 1)

    The following features of PGP Desktop for Windows are available in these environments, as specified:

    Email encryption is fully supported.

    PGP Zip functionality is fully supported.

    PGP Shred functionality is fully supported.

    PGP NetShare is fully supported.

    PGP Virtual Disks cannot be mounted at a drive letter over Citrix/TS, but can be mounted at directory mount points on NTFS volumes.

    PGP Whole Disk Encryption is not supported.

    For information on how to install PGP Desktop on a Citrix server, see PGP Support KB Article 832 (https://support.pgp.com/?faq=832).

    Installing and Configuring PGP Desktop

    This section includes information on installing or upgrading PGP Desktop, as well as information on the Setup Assistant.

    Installing the Software

    Note: You must have administrative rights on your system in order to install PGP Desktop.

    To install PGP Desktop on your Windows system

    1 Locate the PGP Desktop installation program. The installer program is an .MSI file, which your PGP administrator may have distributed to you using the Microsoft SMS deployment tool.

    2 Double-click the PGP Desktop installer.

    3 Follow the on-screen instructions.

    4 If prompted to do so, restart your system.

    Note: If you are in a domain protected by a PGP Universal Server, your PGP administrator may have preconfigured your PGP Desktop installer with specific features and/or settings. In addition, if your PGP administrator set up silent enrollment, your Windows domain password will be used for all passphrase requirements in PGP Desktop. If specified by policy, PGP Whole Disk Encryption may automatically start to encrypt your disk when your Windows password is entered.

    Upgrading the Software

    Note: PGP Desktop for Windows and PGP Universal Satellite for Windows cannot both be installed on the same system. The installation programs for both products detect the presence of the other program and end the installation process if the other product is found.

    You can upgrade to PGP Desktop for Windows from a previous version of one of the following products:

    PGP Desktop for Windows

    PGP Universal Satellite for Windows

    If you are using Microsoft Windows XP with your computer, you can upgrade only to PGP Desktop 9.6 or later from PGP Desktop 8.x. If you are using a Microsoft Windows 2000 system, you can upgrade from PGP Desktop Versions 6.x, 7.x, or 8.x.

    Important Note: If you are upgrading your computer to a new version of the operating system and want to use this version of PGP Desktop, be sure to uninstall any previous versions of PGP Desktop before upgrading the OS and installing this release. Be sure to back up your keys and keyrings before uninstalling. Note that if you have used PGP Whole Disk Encryption, you will need to unencrypt your disk before you can uninstall PGP Desktop.

    Upgrading PGP Desktop

    Do one of the following:

    From PGP Desktop 8.x for Windows: Follow the standard installation process for PGP Desktop 10.2 for Windows.

    PGP Desktop for Windows 8.x is automatically uninstalled, and PGP Desktop 10.2 for Windows is installed. Existing keyrings and PGP Virtual Disk files are usable in the upgraded version.

    From a version of PGP Desktop for Windows prior to 8.0: Manually uninstall versions of PGP Desktop prior to 8.0 before beginning the installation of PGP Desktop 10.2 for Windows. Existing keyrings and PGP Virtual Disk files will be usable in the upgraded version.

    Upgrading from PGP Universal Satellite

    Do one of the following:

    From PGP Universal Satellite 1.2 for Windows or previous: Follow the installation process for PGP Desktop 10.2 for Windows.

    Existing versions of PGP Universal Satellite for Windows are automatically uninstalled, and PGP Desktop 10.2 for Windows will be installed. Existing settings will be retained.

    Caution: Installing any version of PGP Universal Satellite on top of PGP Desktop 10.2 for Windows is an unsupported configuration. Neither program will work correctly. Uninstall both programs and then install only PGP Desktop.

    From PGP Desktop for Windows (Version 8.x) and PGP Universal Satellite: Follow the installation process for PGP Desktop 10.2 for Windows.

    PGP Desktop and PGP Universal Satellite for Windows are automatically uninstalled, and then PGP Desktop 10.2 for Windows is installed. Existing keyrings and PGP Virtual Disk files are usable in the upgraded version.

    Checking for Updates

    Note: The option to automatically check for updates is no longer available in PGP Desktop, starting with version 10.1. To check for an update or to install an update, you must manually download the file.

    With the acquisition of PGP Corporation by Symantec Corporation, PGP operations is in the process of integrating with Symantec operations. When checking to see if there are updates, or to download an update, use the second download link if the first link does not appear operational.

    To upgrade PGP Desktop, do the following:

    Go to the PGP License and Entitlement Management System (LEMS) and log in (https://lems.pgp.com/account/login).

    If the update for PGP Desktop is not available there, go to Symantec FileConnect (https://fileconnect.symantec.com/), select your language, and enter your serial number.

    Upgrading From Standalone to Managed PGP Desktop Installations

    If you have been using PGP Desktop in standalone mode and now will be managed by a PGP Universal Server, you must install a bound and stamped version of PGP Desktop over your existing, standalone installation. You must also complete the enrollment process. Your PGP Administrator will provide an installation file so you can install a bound and stamped version.

    Upgrading the Operating System Software

    If you are upgrading your computer to a new major release of the operating system (for example, on a Windows system to Windows Vista or on a Mac OS X system from 10.4.x to 10.5.x), be sure to do the following:

    1 Back up your keys and keyrings before uninstalling.

    2 If you have used PGP Whole Disk Encryption, decrypt your disk before you uninstall PGP Desktop.

    3 Uninstall any previous versions of PGP Desktop before upgrading to the new version of the operating system.

    4 Once you have upgraded your version of the operating system, reinstall PGP Desktop. Import your keys/keyring and, if necessary, you can then encrypt your disk.

    Licensing PGP Desktop

    For license information for this release, see the PGP Desktop Release Notes.

    Running the Setup Assistant

    When the installation of PGP Desktop is complete, you are prompted to restart your computer. Once the computer restarts, as soon as you see the Windows Desktop, the PGP Desktop Setup Assistant starts automatically. The Setup Assistant displays a series of screens that ask you questions, then uses your answers to configure PGP Desktop for you.

    Based on a number of factors, the Setup Assistant for your system contains only those screens that are appropriate for your installation.

    The Setup Assistant does not configure all PGP Desktop settings. When you finish going through the Setup Assistant screens, you can then configure those settings not covered in the Setup Assistant.

    Uninstalling PGP Desktop

    You can uninstall PGP Desktop using the PGP Desktop uninstaller, or by using Windows' Add or Remove Programs feature. The following procedure describes using the PGP Desktop uninstaller directly.

    If you are upgrading from PGP Desktop 8.x or later, you do not have to uninstall PGP Desktop first. For more information, see Upgrading the Software (on page 19).

    Note: You must have administrative rights on your system in order to uninstall PGP Desktop.

    To uninstall PGP Desktop

    1 Click the Start menu and select Programs > PGP > Uninstall PGP Desktop. A confirmation dialog box is displayed.

    2 Click Yes to continue with the uninstall process. The PGP Desktop software is removed from your system.

    Keyring, PGP Virtual Disk, and PGP Zip (.pgp) files are not removed from your system, in case you decide to reinstall PGP Desktop in the future.

    3 If prompted, restart your computer to complete the uninstall process.

    Note: An alternative to uninstalling PGP Desktop is stopping PGP Desktop background services. Doing this prevents PGP Desktop from protecting your email and instant messages, but both PGP Virtual Disk volumes and disks or partitions protected by PGP Whole Disk Encryption are still accessible. If you just need to turn off the PGP Desktop email or IM proxies, you can do that in the PGP Options dialog box (select Tools > Options, click the Messaging tab, and deselect the options as needed).

    Moving Your PGP Desktop Installation From One Computer to Another

    Moving a PGP Desktop installation from one computer to another is not a difficult process, although there are a few crucial steps which must be completed successfully. The process consists of the following steps:


    To transfer your PGP Desktop installation to another computer

    1 Uninstall PGP Desktop. To do this, choose Start > Programs > PGP > Uninstall PGP Desktop. You can also use the Add/Remove Programs functionality in the Windows Control Panel, which is the only way to remove PGP Desktop if you are running an older version of the program.

    Note that this step does not remove the keyring files.

    2 Transfer the keyrings. To do this, copy the keyring files (both pubring.pkr and secring.skr) from the old computer to diskette or other removable media, and then copy them to the new computer. The default location for the keyring files is C:\Documents and Settings\\My Documents\PGP\.

    If PGP Desktop has never been installed on the new computer, create this folder first before copying the keyring files to the computer.

    3 Install PGP Desktop on the new computer. To do this, download PGP Desktop by clicking the download link in your original Symantec Corporation order confirmation email.

    4 During the installation process, do the following:

    During the PGP Desktop setup wizard on the new computer, select No, I have existing keyrings and specify the location where you copied the keyring files to on the new computer.

    Use the same name, organization, and license number used when PGP Desktop was originally authorized.
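
Step 2 of the procedure above, as an added PowerShell example (not part of this guide or of PGP Desktop): it copies both keyring files, creates the destination folder if it does not exist, refuses to overwrite keyrings already at the destination, and confirms each copy by SHA-256. The function name Copy-PgpKeyrings and the E:\pgp-transfer path are assumptions, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not from the PGP Desktop guide.
function Copy-PgpKeyrings {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,      # folder holding the keyrings
        [Parameter(Mandatory)] [string] $DestinationDir  # removable media, or the PGP folder on the new computer
    )

    # File names as given in step 2 of the guide.
    $keyrings = 'pubring.pkr', 'secring.skr'

    # Step 2 calls for both files, so stop before copying if either is missing.
    foreach ($name in $keyrings) {
        $path = Join-Path $SourceDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            throw "Missing keyring file: $path"
        }
    }

    # The guide says to create the folder first if PGP Desktop was never installed.
    if (-not (Test-Path -LiteralPath $DestinationDir -PathType Container)) {
        New-Item -ItemType Directory -Path $DestinationDir | Out-Null
    }

    # Never silently replace keyrings that already exist at the destination.
    foreach ($name in $keyrings) {
        $dst = Join-Path $DestinationDir $name
        if (Test-Path -LiteralPath $dst) {
            throw "Refusing to overwrite existing file: $dst"
        }
    }

    foreach ($name in $keyrings) {
        $src = Join-Path $SourceDir $name
        $dst = Join-Path $DestinationDir $name
        Copy-Item -LiteralPath $src -Destination $dst

        # Compare hashes so a truncated or corrupted copy is caught here,
        # not later when the setup wizard reads the keyrings.
        $srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            throw "Copy of $name does not match the original"
        }
        [pscustomobject]@{ File = $name; SHA256 = $dstHash; Verified = $true }
    }
}

# Old computer: default keyring folder (My Documents\PGP) to removable media.
# E:\pgp-transfer is a hypothetical path.
$default = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'PGP'
Copy-PgpKeyrings -SourceDir $default -DestinationDir 'E:\pgp-transfer'
```

Run the same function on the new computer with the source and destination swapped. The copy left on the removable media still contains the private keyring (secring.skr); the PGP Shred feature described in this guide can securely delete it once the transfer is confirmed.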

  • 4 The PGP Desktop User Interface This section describes the PGP Desktop user interface.

    In This Chapter

    Accessing PGP Desktop Features (page 25)

    PGP Desktop Notifier alerts (page 30)

    Viewing the PGP Log (page 34)

    Accessing PGP Desktop Features

    There are four main ways to access PGP Desktop features:

    PGP Desktop Main Window (see "The PGP Desktop Main Screen" on page 26)

    PGP Tray Icon (see "Using the PGP Tray Icon" on page 27)

    Shortcut Menus in Windows Explorer (see "Using Shortcut Menus in Windows Explorer" on page 28)

    Start Menu (see "Using the Start Menu" on page 29)


    The PGP Desktop Main Screen

    The main screen of PGP Desktop is your primary interface to the product.

    The PGP Desktop main screen includes:

    1 The Menu bar. Gives you access to PGP Desktop commands. The menus on the Menu bar change depending on which Control box is selected.

    2 The PGP Keys Control Box. Gives you control of PGP keys.

    3 The PGP Messaging Control Box. Gives you control over PGP Messaging.

    4 The PGP Zip Control Box. Gives you control of PGP Zip, as well as the PGP Zip Assistant, which helps you create new PGP Zip archives.

    5 The PGP Disk Control Box. Gives you control of PGP Disk.

    6 The PGP Viewer Control Box. Gives you the ability to decrypt, verify, and display messages outside the mail stream.

    7 The PGP NetShare Control Box. Gives you control of PGP NetShare.

    8 The PGP Desktop Work area. Displays information and actions you can take for the selected Control box.

    9 PGP Keys Find box. Use to search for keys on your keyring. As you type text in this box, PGP Desktop displays search results based on either name or email address.

    Each Control Box expands to show available options, and collapses to save space (only the Control Box's banner displays). Expand a Control Box by clicking its banner.


    When expanded, the contents of Control Boxes change depending on what is appropriate for what you are working on, or what is selected. For example, when the PGP Keys Control Box is selected, if a public key is selected, the options Email this Recipient and Email this Key appear at the bottom of the PGP Keys Control Box. If a private key is selected, only Email this Key is displayed. If no key is selected, neither option is displayed.

    To navigate around the PGP Desktop main screen, use the Tab key. Then use the Space key or Enter to select an option.

    Note: Click Email this Recipient to open your system's default email client and create a new email using the address of the selected key. This makes it easy to send a message to someone on your keyring. Click Email this Key to open your system's default email client and create a new email with the selected public key attached (the message is not addressed). This is useful for sending your public key, or a public key on your keyring, to someone who does not already have it.

    Using the PGP Tray Icon

    One way to access many PGP Desktop features is from the PGP Tray icon.

    Tip: You can open PGP Desktop by double-clicking the PGP Tray icon.

    The PGP Tray displays one of four icons:

    Normal operation: PGP Desktop is operating normally; no passphrases are cached, message proxying is enabled, no other PGP operations are in progress.

    Cached passphrase: PGP Desktop is operating normally; additionally, one or more private key passphrases have been cached. Caching passphrases is an optional time-saving feature (for example, you don't have to type your passphrase to sign a key if it's cached), but it's also a security risk: if you leave your system with the passphrase cached, whoever walks up to your system could use PGP Desktop without having to type the appropriate passphrase.

    Message proxying disabled: Proxying of email messages has been disabled; incoming encrypted messages will not be decrypted or verified and outgoing messages will not be encrypted or signed. You can turn message proxying back on using the PGP Tray menu or the PGP Options.

    Busy: PGP Desktop is in the middle of an operation, such as encrypting a disk. When the operation is complete, the PGP Tray icon changes back to the appropriate icon.

    When you right- or left-click on the PGP Tray icon, a menu is displayed giving you access to various options. Note that not all options may be available, depending on whether you have a standalone or managed installation.

    Exit PGP Services. Stops PGP Desktop services on this computer. Be very careful with this command; it will stop automatic encryption and decryption of email and instant messaging sessions.


    If you stop the PGP Services, you can start them again by restarting your computer or by selecting PGP Desktop from the Start menu (Start > Programs > PGP > PGP Desktop).

    About PGP Desktop. Displays information about the version of PGP Desktop you are using, including licensing information.

    Help. Opens PGP Desktop's integrated online help.

    Options. Opens the PGP Desktop Options dialog.

    View Notifier. Displays the last incoming and outgoing message notifiers.

    View PGP Log. Displays the PGP Desktop Log. Use the PGP Desktop Log to see what actions PGP Desktop is taking to secure your data.

    Open PGP Viewer. Opens PGP Viewer so you can decrypt email out of the mail stream.

    Open PGP Desktop. Opens the PGP Desktop main screen. You can also open PGP Desktop by double-clicking the PGP Desktop Tray icon.

    Update Policy. Manually downloads policy from the PGP Universal Server. This option is available only for managed installations.

    Clear Caches. Clears from memory any cached information, such as passphrases and cached public keys.

    Note: A cached passphrase is not cleared if you used a smart card or token to access a PGP NetShare protected folder, and removed the smart card or token. To clear a cached passphrase, create a hot key. For more information, see Advanced Options (on page 272).

    Unmount PGP Virtual Disks. Unmounts all mounted PGP Virtual Disk volumes.

    Current Window. Lets you use PGP Desktop functionality (Decrypt & Verify, Encrypt & Sign, Sign, Encrypt) on the contents of the current window.

    Clipboard. Lets you use PGP Desktop functionality (Decrypt & Verify, Encrypt & Sign, Sign, Encrypt) on the contents of the Clipboard. Also lets you clear or edit the contents of the Clipboard.

    Using Shortcut Menus in Windows Explorer

    Windows Explorer gives you access to PGP Desktop functions depending on the item that you right-clicked:

    Drive. If you right-click a drive on your system in Windows Explorer and select PGP Desktop from the menu displayed, you can do the following to the drive:

    PGP Shred Free Space on it

    PGP Virtual Disk. If you right-click a mounted PGP Virtual Disk drive on your system in Windows Explorer and select PGP Desktop from the menu displayed, you can do the following to the drive:

    Unmount the PGP Virtual Disk

    Locate the PGP Virtual Disk file (.pgd) in Windows Explorer

    Edit the PGP Virtual Disk properties


    If you right-click the PGP Virtual Disk file (.pgd) in Windows Explorer for an unmounted disk, and select PGP Desktop from the menu displayed, you can also do the following:

    Compact unused space

    Use PGP Shred to securely delete the PGP Virtual Disk (note that this also deletes all data on the disk)

    Re-encrypt the PGP Virtual Disk

    Folder. If you right-click a folder in Windows Explorer and select PGP Desktop from the menu displayed, you can do the following to the folder:

    Add to new PGP Zip

    Create Self-Decrypting Archive of the contents in the folder

    Secure with a key or passphrase

    Decrypt & Verify it

    Add it to PGP NetShare

    Shred it

    File. If you right-click a file in Windows Explorer and select PGP Desktop from the menu displayed, you can do the following to the file, depending on what kind of file it is:

    If you select an unencrypted file, you can Secure it with a key or passphrase, Sign, Shred, or Create a Self-Decrypting Archive

    If you select an encrypted file, you can decrypt/verify or Shred it

    If you select an unmounted PGP Virtual Disk volume (.pgd), you can mount or edit it; if you select a mounted volume, you can unmount it

    If you select a PGP Zip (.PGP) file, you can Decrypt & Verify it, View it, or Shred it

    If you select a PGP key file (.asc), you can decrypt/verify or Shred it. If you select decrypt/verify, you are given the option of importing the file

    If you select a PGP public or private keyring file (PKR or SKR files, respectively), you can add the keys in it to your keyring or Shred it

    Using the Start Menu

    You can access PGP Desktop through the Windows Start menu. To do this, select Start > Programs > PGP.

    The Start menu provides you with access to:

    PGP Desktop documentation in English and other supported languages

    The PGP Desktop application

    Uninstalling PGP Desktop


    PGP Desktop Notifier alerts

    The PGP Desktop Notifier feature displays a small information box that tells you the status of incoming and outgoing email messages, as well as instant messaging sessions.

    Note: The PGP Desktop Notifier feature also displays the status of the PGP Whole Disk Encryption and PGP NetShare features on your computer. For more information, see PGP Desktop Notifier for Disk features (on page 32).

    In a PGP Universal Server-managed environment, your administrator may have specified certain notifications settings (for example, whether notifications are to be displayed or the location of the notifier). In this case, you may not see any notifier messages at all.

    PGP Desktop Notifier for Messaging

    Use the PGP Desktop Notifier for Messaging feature to:

    See if an incoming email is properly decrypted and/or signed.

    See if an outgoing email is properly encrypted and/or signed.

    Stop an email message from being sent if the encryption options are not what you want.

    View a quick summary of the sender, subject, and encryption key of an email.

    Review, at any time, the status of previous incoming or outgoing messages for that Windows session.

    See that a chat session with another PGP Desktop user is being secured.

    Use the PGP Desktop Notifier feature to monitor all or some of your incoming email, as well as maintain precise control over all or some of your outgoing messages. The choice is yours. You can set various Notifier options, or turn the PGP Desktop Notifier feature completely off if you prefer.

    Some additional points about the PGP Desktop Notifier feature:

    For message notifications, use the left and right arrow buttons in the upper-right corner of the Notifier box to scroll Notifier messages forward or backward. This way, you can review messages that came before or after the message you are viewing currently.

    When they first display, Notifier message boxes have a partially transparent appearance to prevent obscuring anything on your screen. Notifier message boxes become opaque if you move your cursor over them, and become translucent again when you move your cursor away from them.

    Unless the cursor is over them, Notifier messages display for four seconds (this default setting can be changed in the Notifier options). If you want more time to read a Notifier, move your cursor over the Notifier and it remains on your display.

    If you completely miss reading a Notifier, or you would like to review previous ones, do the following:

    On Windows systems, choose View Notifier from the PGP Tray icon.


    On Mac OS X systems, choose View Notifier from the PGP Desktop icon in the Mac OS X Menu Bar.

    Close a Notifier message by clicking the X (in the upper right corner of the message on Windows systems, in the upper left corner on Mac OS X systems).

    For more information about setting PGP Desktop Notifier options, see Notifier Options (on page 270).

    Incoming PGP Desktop Notifier Messages

    Notifications for incoming email provide information on whether the email was decrypted and verified, or decrypted and signed by an unverified or unknown key.

    Outgoing PGP Desktop Notifier Messages

    For simple notification, choose to have a PGP Desktop Notifier appear momentarily when email is sent (all email, or email meeting certain criteria).

    You can also set PGP Desktop to include Block and Send buttons in the Notifier box.

    To manage the outgoing email with this Notifier

    1 In the PGP Outgoing Message Notifier box, do the following:

    To stop this email message from being sent, click Block. Note this blocks only this outgoing email message; future email messages to this sender can be sent.

    To send this message, even though the recipient's key cannot be found, click Send.

    To continue to delay a message from being processed, hover your cursor over the Notifier box. When you move your cursor away from the Notifier box, the message is then processed using the default rule.

    In Notifier options, the Delay outbound mail for setting specifies how long (in seconds) the Notifier gives you before it sends the mail without your intervention. The Notifier displays a countdown before it sends your mail.

    2 To view additional information, including the Action, Recipient, Policy, and Signing Key, click More.

    It is not necessary for you to view this additional information unless you want to see it. To hide it again, click Less.

    Outgoing PGP Desktop Notifier Messages for Offline Policy

    If you are using PGP Desktop in a PGP Universal Server-managed environment, your administrator may have specified what actions to take on outgoing messages if the PGP Universal Server is not available. The outgoing notifier message indicates one of the following:

    Your PGP Universal Server is not available and policy has been set to block all messages. Email messages remain in your outbox and are sent when the PGP Universal Server can be contacted.


    Your PGP Universal Server is not available and policy has been set to send all messages in the clear.

    Your PGP Universal Server is not available and policy has been set to allow your local policy to take precedence.

    In the latter two cases, you can choose to send or block the outgoing message as you would any other outgoing message.

    PGP Notifier for Instant Messaging

    If you have PGP Desktop installed on your computer, and if you have specified to receive Notifiers for Instant Messaging (under the Notifications tab in PGP Desktop Preferences), then PGP Desktop Notifiers alert you when the AOL Instant Messenger (AIM) sessions that you have with other PGP Desktop users are protected.

    When you use the secure instant messaging feature, a Notifier displays when you log on to the instant messaging program to inform you that your chat is secure, and a padlock icon displays next to your buddy name with most AIM-compliant instant messaging clients.

    When you log off of your instant messaging program, a final Notifier message informs you that the secure session has ended.

    For more information on proper configuration, as well as the use of the secure instant message chat feature, see Securing Instant Messages.

    PGP Desktop Notifier for Disk features

    The PGP Desktop Notifier for Disk features keep you informed when you are working with the PGP NetShare and the PGP Whole Disk Encryption features.

    Note: The PGP Desktop Notifier feature also displays the status of incoming and outgoing email messages on your computer. For more information, see PGP Desktop Notifier for Messaging (on page 30).

    PGP NetShare

    When used with PGP NetShare, the PGP Desktop Notifier feature alerts you to these things:

    Actions taken to a shared folder.

    Location of the affected folder.

    Name of the affected folder.

    Who performed the action.

    PGP Whole Disk Encryption

    When used with the PGP Whole Disk Encryption feature, the PGP Desktop Notifier feature alerts you to these things:

    The disk being encrypted.


    The size and type of disk.

    Status of the encryption process.

    Enabling or Disabling Notifiers

    In a PGP Universal Server-managed environment, your administrator may have specified certain notifications settings (for example, whether notifications are to be displayed or the location of the notifier). In this case, the Notifier tab is not available and not displayed.

    To enable or disable Notifiers

    1 Open PGP Desktop and select Tools > PGP Options.

    2 Click the Notifier tab.

    3 Under Usage, specify if you want to Use PGP Notifier and, if so, the location. PGP Desktop Notifications can appear at any of the four corners of your screen (Lower Right, Lower Left, Upper Right, or Upper Left). Select the corner where you want PGP Desktop Notifications to appear. The default position is Lower Right.

    4 If you are using PGP Desktop Messaging and you want PGP Desktop Notifiers to appear, informing you of encryption and/or signing status when you send email, select the checkbox to Notify when processing outbound email. Deselect this checkbox to stop PGP Desktop Notifiers from appearing when you send mail.

    5 PGP Desktop looks for a public key for every recipient of the email messages that you send. By default, if it cannot find a public key for a recipient, it sends that email in the clear (without encryption). Select Ask me before sending email when the recipient's key is not found if you want to be notified when a key is not found and be given a chance to block the email so that it is not sent. Then specify the following options:

    Always ask me before sending email: Select this checkbox if you would prefer approving every email that you send. You can review the encryption status in the Notifier, and either send or block the email.

    Delay outbound email for n second(s) to confirm (where n is a number from 1-30; the default is 4 seconds). To change the amount of time that outbound messages are delayed, and a PGP Desktop Notifier is displayed, click the up or down arrows. Use the delay period to review the PGP Desktop Notifier message.

    (For more information on the PGP Desktop default policy settings, see Services and Policies (on page 83).)

    6 For incoming email, specify how you are notified of its status upon arrival. Select one of the following for Display notifications for incoming mail:

    When receiving secured email: A Notifier appears whenever you receive secured email. The box displays who the email is from, its subject, its encryption and verification status, and the email address of the person sending it.

    Only when message verification fails: For incoming email, you see a Notifier only when PGP Desktop is unable to verify the signature of the incoming email.


    Never: If you do not need or want to see a Notifier as you receive email, select this option. This option does not affect Notifiers for outgoing mail.

    7 If you want a PGP Desktop Notifier to appear briefly when you begin a secure instant message chat, and appear briefly again when the chat ends, select the checkbox to Notify for status of PGP Encrypted IM sessions.

    Viewing the PGP Log

    Use the PGP Log to see what actions PGP Desktop is taking to secure your data.

    To view the PGP Log

    1 To view logs, you must turn on logging. To do this, in PGP Desktop select Tools > Enable Logging.

    2 Do one of the following:

    Click the PGP Desktop system tray icon and select View PGP Log from the shortcut menu. The PGP Log opens in a new window.

    In PGP Desktop, select Tools > View Log. The PGP Log opens in a new window.

    In PGP Desktop, click the PGP Messaging control box and then click PGP Log. The PGP Log is displayed in the application window.

    3 To change the view options or filter on specific logging information, do the following:

    Click the arrow for View log for to select the days of the logs you want to view.

    Click the arrow for View topic to select the types of logs you want to view. Choose from All, PGP, Email, IM, Whole Disk, NetShare, Zip/SDA, or Virtual Disk.

    Click the arrow for View level to select the minimum severity of log entries you want to view. Choose from Error, Warn, Info, or Verbose.

    To view Verbose logs, the PGP Log view window must remain open. When you close the window, the level of logging reverts back to the default level, Info. Note that Verbose can result in some large log files.

    4 When you are finished viewing the log:

    To save